Fines for Low Impact Assets – NERC April 2017 Deadline

November 2016

By George Z. Adkins

NERC has been empowered to establish and enforce mandatory Reliability Standards in the United States, Canada, and a portion of Mexico to assure the reliability of the bulk electric system (BES). The latest version of the NERC CIP cybersecurity Standards, known as CIPv5, contains requirements applicable to all NERC Registered Entities. In the past, these requirements applied solely to owners of Critical Assets, but under CIPv5 there are new obligations that pertain to Low Impact Assets. These requirements carry a financial penalty for every day out of compliance, applied retroactively.

At a minimum, Low Impact BES Cyber Systems should have documented processes and related evidence to support compliance with the following items prior to the compliance dates.

CIP-003-6 R4 – A process to delegate authority of the CIP Senior Manager

By April 1, 2017

CIP-003-6 R1.2 – Documented cyber security policies that address:

Cyber security awareness

Physical security controls

Electronic access controls

Cyber security incident response

CIP-003-6 R2 – Implementation of the cyber security plans for:

Cyber security awareness

Cyber security incident response

By September 1, 2018

CIP-003-6 R2 – Implementation of the cyber security plans for:

Physical security controls

Electronic access controls

A list of the most up-to-date implementation dates can be downloaded via this LINK.

Mitigating 100% of Cyber Risk is a financial hardship and nearly impossible. The services coordinated by Wortham Power Gen Insurance target mitigation of 80% of Cyber Risk at a reasonable cost. Our Cyber Insurance program then provides financial protection from the other 20%. Click HERE to complete the Cyber Risk Evaluation Tool to determine where your mitigation funds are best spent.

The Wortham Power Gen/APPA/Hometown Connections Cyber Liability Insurance Program includes coverage for Fines & Penalties related to a Cyber Breach.